April Breslaw is a Regulatory Advisor with Treliant. She has held multiple leadership positions at federal financial regulatory agencies, including Deputy Assistant Director, Office of Supervision Policy, at the Consumer Financial Protection Bureau (CFPB), which she joined as it was being built in 2010. Her other roles have included Chair…
Over six years ago, the Office of the Comptroller of the Currency (OCC) triggered reconsideration of governance frameworks across the financial services industry when it announced its expectation that large financial institutions adopt a three-lines-of-defense risk management framework. Although the OCC’s message targeted banks with over $50 billion in assets, the three-lines-of-defense framework has also come to be accepted as best practice by smaller banks and some FinTechs. But has the framework actually been implemented?
In practice, many banks under the $50 billion threshold are still building parts of their frameworks. In particular, they are assembling testing teams in the second line of defense, i.e., compliance and risk management. And, as we noted in our previous article (Unfinished Compliance Risk Management Business in 2020: Building the First Line of Defense), even banks with $100 billion in assets continue to struggle to deploy the first line of defense in their front-line business operations.
This article focuses on the pivotal compliance-testing team—and how financial services companies can put one in place to greatest effect for regulatory risk management and other business purposes.
Compliance-Testing Teams Are a Breed Apart
As members of the second line of defense, compliance-testing professionals assess first-line controls separately from first-line monitoring, and they escalate trends and issues to the board of directors and executive management. Within compliance departments, the scope of testing responsibilities varies. However, at minimum, compliance testing typically assesses adherence to legal requirements related to consumer protection. Such testing is also aligned with adherence to internal policies and industry best practices intended to facilitate compliance and quality customer service.
The characteristics of compliance-testing staff differ from those of compliance advisory colleagues, who are more involved in the strategy, design, and direction of the compliance program. Testing professionals should possess many of the same skills, and apply the same approach, that auditors often possess and apply. Compliance testing is a meticulous job, involving workpapers, schedules, request lists, and thousands of data files. Yet, unlike internal auditors (the third line of defense), testing professionals must also be able to nimbly monitor emerging regulatory and business risks and steadily manage longer-term testing programs.
The compliance-testing team may or may not be part of the compliance department.
Its size should be relative to the size and complexity of the bank.
Challenges with Building a Compliance-Testing Team
Why is the compliance-testing team still a work in progress at so many banks? Human resource constraints top the list of reasons. At smaller banks especially, compliance duties may represent only one of a staffer’s many diverse responsibilities, and other pressing needs tend to interfere or compete with testing. Even at bigger banks, hiring the right person can be challenging due to a shortage of compliance expertise or skills.
Elsewhere, it’s a matter of clarifying the division of duties across the three lines of defense. In any case, the federal banking regulators have not mandated the three-lines-of-defense framework for all banks, just the bigger ones. Consequently, inertia can set in.
For some banks, a sense of complacency in the current deregulatory climate may be making compliance testing less of a priority—a laxness that is compounded by the fact that regulators do not tend to pursue public enforcement action against banks that fail to test compliance. However, bank examiners will continue to arrive on schedule, expecting issues to be identified and addressed, and will continue to hold bank leadership accountable for any risks, control gaps, and violations of laws they discover. Technology holds promise for easing this difficult task, but the transition itself is daunting, so compliance testing is still not very automated, especially in banks under $100 billion.
Benefits of Compliance Testing
Compliance testing can unearth improperly managed products, services, or conduct that may otherwise go undetected for long periods of time. Without an effective testing program, firms deprive themselves of critical insight into risks and control gaps, which, by the time examiners conclude that violations of laws and consumer harm have occurred, could be quite serious. Exhaustive lookbacks and expensive remediation (e.g., refunding fees or crediting interest) could be necessary to make things right with affected customers. In a worst-case scenario, a bank may have improperly foreclosed on or repossessed property.
The resulting customer service issues, reputational risks, operational disruptions, and compliance costs can be mitigated by testing more frequently. Banks should not wait for periodic audits or exposure from examiners. Further, most employees don’t want to be singled out by internal auditors, since an audit finding is considered a bad mark against performance that they would rather avoid. Compliance testing can help them avoid it.
Setting Up a Testing Process
Once a compliance-testing team is established, it will need to put in place a process for scheduling, planning, testing, reporting, escalating, and issue management. Questions such as what to test and when to test must be addressed.
The starting point for scheduling is typically a bank’s risk assessment for compliance. Effective risk assessments generally employ a quantitative approach to measuring “residual risk”—the remaining risk after considering the threat a risk poses and any mitigating controls—and whether risk exposure is increasing, decreasing, or stable. Banks can use these results to determine the frequency and scope of testing, as well as areas to review. Areas displaying higher residual risk or increasing risk exposure may be tested more frequently than areas that display lower risks or decreasing exposure. Based on risk rating and exposure, reviews could be scheduled more than once a year, once a year, or less frequently.
Every legal requirement under the scope of the compliance department should be included in the schedule, for each line of business and product. Some banks also include regulatory guidance in their schedules. For instance, in the area of overdraft protection, there is more regulatory guidance than actual regulation. Even so, it’s an area of risk that is often tested.
To effectively implement the schedule, extensive planning is necessary, including notifying lines of business, putting together request lists, obtaining files, ensuring the adequacy of those files, and documenting each step. These actions provide the basis for identifying exceptions and areas for improvement. Reports are compiled for leaders of business lines to review and respond to, and the compliance-testing team determines whether there is a need to escalate any issues to risk management leadership. It then tracks the matter until it is resolved.
Maintaining Interaction on an Ongoing Basis
Interaction is essential in compliance testing—both with other compliance team members and the other two lines of defense. For example, compliance-advisory staff can share their knowledge of issues to help compliance-testing staff identify targets and determine the scope of reviews.
As the second line tests the first line, it should consider any of the business-line leaders’ own evaluations—then let them review and comment on the compliance team’s findings. Third-line input is also very valuable, although internal audit tests less frequently. All assessments should be compiled in a central repository to identify and manage trends and systemic issues.
The Institute of Internal Auditors got it right when it wrote:
The stakes are high. Without a cohesive, coordinated approach, limited risk and control resources may not be deployed effectively, and significant risks may not be identified or managed appropriately. In the worst cases, communications among the various risk and control groups may devolve to little more than an ongoing debate about whose job it is to accomplish specific tasks.
The Final Analysis
Implementing a risk management framework for the three lines of defense is a daunting task. However, once in place, the framework can be very efficient and effective. Greater business confidence and fewer regulatory surprises during bank exams are just two reasons to continue pushing to the finish line.